In phishing, an automated form of social engineering, criminals use the Internet to fraudulently extract sensitive information from businesses and individuals, often by impersonating legitimate web sites. The potential for high rewards (e.g., through access to bank accounts and credit card numbers), the ease of sending forged email messages impersonating legitimate authorities, and the difficulty law enforcement has in pursuing the criminals has resulted in a surge of phishing attacks: estimates suggest that phishing affected 1.2 million U.S. citizens and cost businesses billions of dollars in 2004 alone [40].
Phishing also leads to additional business losses due to consumer fear. Anecdotal evidence suggests that an increasing number of people shy away from Internet commerce due to the threat of identity fraud, despite the tendency of U.S. companies to assume the risk for fraud. Also, many users now default to distrusting any email they receive from financial institutions [16].
The importance of the phishing problem has attracted much academic and industrial research. Many of the systems described below represent complementary approaches and could be used in conjunction with our system, particularly to help protect the user during account setup. We discuss related work in three categories: heuristic approaches, password modification, and origin authentication.
A popular initial approach for preventing phishing attempts is to use heuristics to find a pattern in phishing web sites and then alert the user if a given site matches the pattern. Several browser toolbars have been proposed to perform this function, for example SpoofGuard [5], TrustBar [18], eBay Toolbar [12], and SpoofStick [8]. Among other heuristics, these toolbars detect malicious URLs and inform the user about the true domain of the site visited. The Net Trust system incorporates information from users' social networks, as well as centralized authorities, to help users make decisions about a website's trustworthiness [15]. Unfortunately, heuristics are inherently imprecise and invite attackers to adapt to the defenses until they can bypass the heuristics. Such an approach can lead to an arm's race, with all of the problems it entails. In addition, Wu et al. found that 13-54% of users would still visit a phishing website, despite warnings from an anti-phishing toolbar [41].
Phishers often exploit the tendency of users to pick weak passwords and to re-use the same passwords at several websites. If a phisher obtains a password at a low-security site, they can use it to login to a high-security site as well.
One-time passwords are widely used in several contexts, including the S/Key system [17] and corporate uses such as Citibank [6]. The RSA SecurID system is a time-based one-time password, where the password is generated on a hardware token [34]. The user must enter the code in a web form and submit it to the server to show that the possesses the trusted device, but there is no server authentication on the user's part. In addition, the system is vulnerable to an active Man-in-the-Middle attack, since a phisher can intercept the value from the user and then use it to access the user's account. The PwdHash approach uses a cryptographic hash function computed on the user's password and the site name to derive a unique password for each site [33]. PwdHash is a promising system, but is ineffective against pharming or DNS spoofing attacks where a phisher presents the correct domain name to the browser but redirects the request to its server. In the case of DNS attacks, PwdHash will hand the correct password for the site to the phisher. Moreover, PwdHash does not prevent a phisher from breaking a weak master password using dictionary attacks.
Another approach is single-sign-on, where users sign in to a single site that will subsequently handle all authentications with other sites, but so far such systems have encountered consumer resistance, since they involve storing sensitive user data with a third party. If these services did grow in popularity, they would undoubtedly attract the same attention from phishers currently visited on individual sites. Another approach is “Verified by VISA,” where merchants redirect clients to a special VISA site which requires a username and password to authenticate the transaction [1].
Unfortunately, none of these approaches provide sufficient protection against Man-in-the-Middle attacks, particularly if the phisher also uses DNS spoofing. As the user enters personal information into the phishing website, the phisher can forward the information to the legitimate banking site. Once authenticated, the adversary has full control over the hijacked connection. Banks have already reported such attacks against their one-time password systems [29]. Our approach precludes such Man-in-the-Middle attacks because the cell phone and server mutually authenticate each other and establish a session key end-to-end.
In a class of countermeasures referred to as origin authentication, researchers propose user-based mechanisms to authenticate the server. Ideally, if the user arrives at a malicious website, he or she will detect that the phishing site is not the correct web site.
Jakobsson presents a theoretical framework for phishing attacks [19]. He also proposes better email authentication to prevent phishing email, in addition to better secrecy protection for user email addresses (such that phishers have a harder time harvesting email addresses from, for example, eBay).
The Petname project [39] associates a user-assigned nickname with each website visited. If the browser loads a page from a spoofed web site, the nickname will be missing or wrong—the approach relies on users to notice either case. In addition, users will likely choose predictable nicknames (e.g., nicknaming Amazon.com's website “Amazon”), making nicknames easy to spoof.
Dhamija and Tygar propose Dynamic Security Skins (DSS) to enable a user to authenticate the server [10, 9]. In their system, a server opens a user-customized popup window that displays an image only the correct server can produce. Similar to the Petname project, this approach relies on the user to perform the verification.
Myers proposes that servers display a series of images as users type their passwords [28]. It would be difficult for phishing sites to guess the correct sequence of images, and users know what images to expect. Again, this scheme relies on the user to perform the verification. Similarly, PassMark stores a secure cookie on the client and sets up an image associated with the account that the user should remember [30]. Unfortunately, PassMark is a proprietary system—they do not disclose a detailed description of their approach.
All of these approaches require user diligence—even a single mistake on the user's part will result in a compromised account. Several of these approaches are also susceptible to Man-in-the-Middle attacks since a phisher can simply forward information between the browser and the legitimate site.